Skip to main content

Jenkins Multiple Vulnerabilities

Release Date: 30 Jan 2024 2892 Views

RISK: Extremely High Risk

TYPE: Operating Systems - Mobile & Apps

TYPE: Mobile & Apps

Multiple vulnerabilities were identified in Jenkins. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, sensitive information disclosure, cross-site scripting and security restriction bypass on the targeted system.

 

Note:

For CVE-2024-23897, arbitrary file read vulnerability through the CLI can lead to RCE. The CVE-2024-23897 vulnerability is being exploited in the wild.

 

CVE-2024-23897 affects Jenkins weekly versions up to and including 2.441, Jenkins LTS versions up to and including 2.426.2.


Impact

  • Remote Code Execution
  • Information Disclosure
  • Security Restriction Bypass
  • Cross-Site Scripting

System / Technologies affected

  • Jenkins weekly up to and including 2.441
  • Jenkins LTS up to and including 2.426.2
  • Git server Plugin up to and including 99.va_0826a_b_cdfa_d
  • GitLab Branch Source Plugin up to and including 684.vea_fa_7c1e2fe3
  • Log Command Plugin up to and including 1.0.2
  • Matrix Project Plugin up to and including 822.v01b_8c85d16d2
  • Qualys Policy Compliance Scanning Connector Plugin up to and including 1.0.5
  • Red Hat Dependency Analytics Plugin up to and including 0.7.1

 


Solutions

Before installation of the software, please visit the vendor web-site for more details.

Apply fixes issued by the vendor:

 

  • Jenkins weekly should be updated to version 2.442
  • Jenkins LTS should be updated to version 2.426.3
  • Git server Plugin should be updated to version 99.101.v720e86326c09
  • GitLab Branch Source Plugin should be updated to version 688.v5fa_356ee8520
  • Matrix Project Plugin should be updated to version 822.824.v14451b_c0fd42
  • Qualys Policy Compliance Scanning Connector Plugin should be updated to version 1.0.6
  • Red Hat Dependency Analytics Plugin should be updated to version 0.9.0

Vulnerability Identifier


Source


Related Link